Researchers have discovered that replacement screens for smartphones could be manipulated to take control of the device and steal users' personal information. According to a team of experts at Israel's Ben-Gurion University of the Negev, hackers could potentially use parts costing less than $10 (£8) to maliciously override a smartphone and siphon data from the repaired handset.
In a paper presented at the 2017 USENIX Workshop on Offensive Technologies in Vancouver, Canada, the researchers demonstrated the attack by hijacking a Huawei Nexus 6P smartphone running Android 6.0.1 and an LG G Pad 7.0 tablet, using a malicious chip embedded within the replacement display screen.
"Phone touchscreens, and other similar hardware components such as orientation sensors, wireless charging controllers, and NFC readers, are often produced by third-party manufacturers and not by the phone vendors themselves," researchers explain. "While phones suffering from fractured screens may be repaired at phone vendor-operated facilities such as Apple Stores, it is often more convenient and cost-effective for phone users to use third-party repair shops.
"In contrast to 'pluggable' drivers, such as USB or network drivers, the component driver's source code implicitly assumes that the component hardware is authentic and trustworthy. As a result of this trust, very few integrity checks are performed on the communications between the component and the device's main processor."
By embedding a malicious integrated chip within a third-party touchscreen, the research team was able to manipulate the communication between the screen and the device's main processor and stealthily carry out a range of malicious actions.
The low-cost, "chip-in-the-middle" attack would allow a threat actor to record and transmit unlock patterns and keyboard inputs, install malicious apps and software and direct the user towards phishing sites.
The compromised device could also be used to take a photo of the user and send it to the attacker via email.
Researchers also demonstrated another type of attack that uses the malicious chip to exploit vulnerabilities in the device's operating system.
To carry out the demonstrated attack, the researchers used an Arduino platform based on an ATmega328 microcontroller as well as an STM32L432 microcontroller, noting that most other microcontrollers would work just as well.
Although the hack was demonstrated on Android devices, the researchers said it could work on iOS devices as well.
The researchers warned that this attack uses booby-trapped parts that look identical to official ones, making it difficult for even experienced technicians to tell the difference. The attack is also fileless, which means it would not be detected by anti-virus software either.
"The threat of a malicious peripheral existing inside consumer electronics should not be taken lightly," researchers said, adding that such attacks are "feasible, scalable and invisible to most detection techniques."
"A well motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets," they warned. "System designers should consider replacement components to be outside the phone's trust boundary, and design their defenses accordingly."
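The two design points the researchers make above, that component drivers trust the hardware and perform few integrity checks on its messages, and that replacement components should sit outside the trust boundary, can be illustrated with a small driver-side filter. The following is an added example and is not code from the paper or from any phone vendor: it models a touch controller that sends fixed-size reports over a bus (an assumed six-byte layout of event type, X, Y and an XOR checksum) and a host driver that checks structure, checksum, coordinate bounds, a per-second event budget and whether the display is on before accepting a touch. The panel size, event budget and report layout are all assumptions chosen for the demonstration.

```python
"""Driver-side plausibility filter for touch-controller reports.

Added example, not from the Ben-Gurion paper or any real driver. The
report layout (1 byte event type, 2 bytes X, 2 bytes Y, 1 byte XOR
checksum, little-endian), the panel resolution and the event budget are
constructed assumptions for the demonstration.
"""
from collections import deque
import struct

SCREEN_W, SCREEN_H = 1440, 2560     # assumed panel resolution
MAX_EVENTS_PER_SEC = 120            # assumed budget for a single finger
EV_DOWN, EV_MOVE, EV_UP = 1, 2, 3   # assumed event codes
REPORT_LEN = 6


def xor_checksum(data: bytes) -> int:
    chk = 0
    for b in data:
        chk ^= b
    return chk


def encode_report(ev: int, x: int, y: int) -> bytes:
    """Build a report the way a (well-behaved) controller would."""
    body = struct.pack("<BHH", ev, x, y)
    return body + bytes([xor_checksum(body)])


class TouchFilter:
    """Treats the touch controller as untrusted: every report must earn acceptance."""

    def __init__(self, width=SCREEN_W, height=SCREEN_H, budget=MAX_EVENTS_PER_SEC):
        self.width, self.height, self.budget = width, height, budget
        self.times = deque()       # timestamps of accepted events, sliding 1 s window
        self.display_on = False    # the host, not the screen, knows the display state

    def set_display(self, on: bool):
        self.display_on = on

    def accept(self, report: bytes, now: float):
        """Return (accepted, reason). Rejected reports never reach the input stack."""
        if len(report) != REPORT_LEN:
            return False, "bad length"
        body, chk = report[:5], report[5]
        if xor_checksum(body) != chk:
            return False, "bad checksum"
        ev, x, y = struct.unpack("<BHH", body)
        if ev not in (EV_DOWN, EV_MOVE, EV_UP):
            return False, "unknown event"
        if x >= self.width or y >= self.height:
            return False, "out of bounds"
        if not self.display_on:
            # A touch reported while the display is off cannot come from a user.
            return False, "display off"
        while self.times and now - self.times[0] >= 1.0:
            self.times.popleft()
        if len(self.times) >= self.budget:
            return False, "rate exceeded"
        self.times.append(now)
        return True, "ok"


def demo():
    """Feed constructed reports through the filter and collect the verdicts."""
    f = TouchFilter()
    f.set_display(True)
    results = []
    results.append(f.accept(encode_report(EV_DOWN, 100, 200), 0.0))    # legitimate
    results.append(f.accept(encode_report(EV_MOVE, 5000, 200), 0.01))  # off-panel X
    corrupted = bytearray(encode_report(EV_UP, 100, 200))
    corrupted[1] ^= 0xFF                                                # flip a payload byte
    results.append(f.accept(bytes(corrupted), 0.02))
    # A burst of 200 moves inside 0.2 s: only the budget's worth gets through.
    burst = [f.accept(encode_report(EV_MOVE, 10, 10), 5.0 + i * 0.001) for i in range(200)]
    results.append(sum(1 for ok, _ in burst if ok))
    f.set_display(False)
    results.append(f.accept(encode_report(EV_DOWN, 50, 50), 10.0))     # screen is off
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The filter does not authenticate the screen; a checksum only catches corruption, not a deliberate forgery, and a malicious controller can always emit well-formed reports. What it does show is the shape of the checks the quoted text says are largely absent today: the host validates what the peripheral claims against what the host itself knows (panel geometry, display state, human-plausible event rates) instead of passing the peripheral's output straight through.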